Not Even a 55-Character Password Is Safe Anymore

Passwords are already scorned as an increasingly faulty and antiquated way to protect private information online. A few guesses can be all it takes to give an attacker free rein over everything from your credit card numbers to your Social Security number and home address. So while many people still choose remarkably weak passwords, savvier web users are creating longer and more complex ones.

The trouble is that cracking tools keep pace with every improvement in self-protection. Cracking passwords is easier than ever, whether for legitimate purposes such as auditing password strength in security research, or for breaking into individual, company, or even government accounts.

This weekend, the popular password-cracking software Hashcat rolled out an update that lets it test candidate passwords up to 55 characters long, a big leap from the previous 15-character limit. The limit is on the length of the guesses the tool can make: earlier versions simply could not try anything longer than 15 characters, so a long passphrase was out of reach no matter how predictable it was.

To be clear, we're talking about cracking hashed passwords, not encrypted ones. A hash is a one-way function: a site stores the hash of your password rather than the password itself, and because there is no key, there is nothing to decrypt. To recover the original, a cracker runs candidate guesses through the same hash function the site used and waits for an output that matches a stored hash. The longer and less predictable the password, the more candidates that takes. But the process is advancing rapidly: the new version of Hashcat can test on the order of 8 billion guesses per second, and because the attacker works on a stolen copy of the hashes rather than against the live login page, there is no lockout and no limit on the number of tries. One caveat a defender should keep in mind: a rate like that applies to fast, unsalted hashes such as MD5; slow, iterated password hashes such as bcrypt, scrypt, or PBKDF2 are designed to cut it by orders of magnitude, which is exactly why sites should use them.

One reason crackers have become so adept is the run of massive security breaches over the last few years, which have leaked millions of user passwords. The leaked data shows exactly how people choose passwords, and crackers use it to build wordlists and guessing rules that reproduce those habits.

The two most common approaches are brute force and dictionary attack. Brute force has the computer generate every possible combination of characters, up to some length, until one of them hashes to the stored value; its cost grows exponentially with length, which is why short passwords fall to it and long ones don't. A dictionary attack instead tests every entry in a list of commonly used passwords, words, and phrases from literature, song lyrics, and so on, usually combined with "rules" that append digits, capitalize the first letter, or swap letters for symbols the way people do.

Crackers keep expanding these dictionaries to stay ahead of the game. As Ars Technica recently reported, a security researcher was able to crack the password "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1" because, for all its length, it is an occult phrase from the short story The Call of Cthulhu and was already sitting in a wordlist. Length buys nothing if the phrase can be looked up.
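To make the mechanics concrete, here is a small Python cracker written for this article as an illustration; it is not Hashcat's code, and plain Python is thousands of times slower than a GPU tool. It does what the paragraphs above describe: it runs guesses through the same function that produced the stored hash (unsalted MD5, assumed here because it is the kind of fast hash the headline rates refer to) and looks for a match, first with a dictionary and then by brute force. The sample passwords, the "leaked" hashes computed from them, and the wordlist are all constructed for the demo; the Cthulhu phrase is placed in the wordlist to show that a long password falls in one guess if it can be looked up, while a short random one needs exhaustive search.

```python
import hashlib
import itertools
import string

# Constructed sample passwords. Their hashes stand in for a leaked database;
# nothing here comes from a real breach.
CTHULHU = "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1"  # over 50 characters
SAMPLE_PASSWORDS = ["letmein", CTHULHU, "c3$x"]


def md5_hex(password):
    """The same one-way function the site applied when it stored the password.
    Unsalted MD5 is assumed because it is the kind of fast hash the headline
    guess rates refer to; a real site should use bcrypt, scrypt or PBKDF2."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


LEAKED_HASHES = {md5_hex(p) for p in SAMPLE_PASSWORDS}

# Constructed wordlist: a few common passwords plus phrases harvested from
# literature. The Cthulhu line is in the list, so its length does not help it.
WORDLIST = [
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    CTHULHU,
]

# Character set for the brute-force demo. Kept small (41 symbols) so the
# example runs in about a second in plain Python.
CHARSET = string.ascii_lowercase + string.digits + "!@#$%"


def dictionary_attack(hashes, wordlist):
    """Hash each candidate once and check it against every target at the
    same time. Returns ({hash: plaintext}, guesses_made)."""
    found = {}
    guesses = 0
    for word in wordlist:
        guesses += 1
        digest = md5_hex(word)
        if digest in hashes:
            found[digest] = word
    return found, guesses


def brute_force(hashes, charset, max_len):
    """Enumerate every string over `charset` from length 1 to `max_len`,
    shortest first, stopping as soon as every target is cracked.
    Returns ({hash: plaintext}, guesses_made)."""
    found = {}
    remaining = set(hashes)
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            digest = md5_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found, guesses
    return found, guesses


def keyspace(charset_size, length):
    """Candidates a brute-force run must cover for exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second=8_000_000_000):
    """Worst-case time for brute force at the article's 8 billion guesses/s."""
    return keyspace(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    hits, n = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"dictionary: {len(hits)}/{len(LEAKED_HASHES)} cracked in {n} guesses")
    for digest, plain in hits.items():
        print(f"  {digest}  {plain!r}")

    leftover = LEAKED_HASHES - set(hits)
    hits, n = brute_force(leftover, CHARSET, 4)
    print(f"brute force: {len(hits)}/{len(leftover)} cracked in {n:,} guesses")

    # Why 55 characters of brute force is not the threat: 95 printable ASCII
    # characters at 8 billion guesses/s.
    for length in (8, 12, 55):
        print(f"  {length} chars: {seconds_to_exhaust(95, length):.3g} s worst case")
```

Run it as a script. The arithmetic at the end is the real lesson: brute force over 95 printable characters at 8 billion guesses a second clears every 8-character password in about ten days but cannot touch 12 characters in a human lifetime, let alone 55. The raised length limit matters for dictionary and rule attacks on long, guessable phrases, not for brute force.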

Crackers also cut down the number of guesses by tailoring the search to the password policy of whomever they're attacking. You've probably noticed that websites are getting stricter about requirements: uppercase and lowercase letters, at least one digit and one special character, and so on. Cracking tools take those rules into account. Hashcat's mask attack, for instance, lets the attacker specify which kind of character goes in each position, and since most people satisfy such a policy the same way, a capital letter first and a digit or symbol at the end, a handful of masks cover a large share of compliant passwords with a tiny fraction of the full search space.
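The policy-targeted search described above is what Hashcat calls a mask attack. The following Python, added here as an illustration rather than taken from Hashcat, reimplements the idea: it parses Hashcat's own mask notation (?l, ?u, ?d, ?s, ?a for lowercase, uppercase, digit, special, and all printable ASCII; Hashcat's other classes are omitted), counts the candidates a mask generates, and cracks a constructed MD5 hash by enumerating them. The "policy-shaped" mask ?u?l?l?l?l?l?d?s is an assumption about how people typically satisfy an 8-character complexity rule, not a claim that every compliant password fits it, and the 5-character target Dog1! is a constructed password chosen so the demo finishes in about a second in plain Python.

```python
import hashlib
import itertools
import string

# Per-position character classes using hashcat's own mask notation.
MASK_CLASSES = {
    "l": string.ascii_lowercase,       # ?l  26 lowercase letters
    "u": string.ascii_uppercase,       # ?u  26 uppercase letters
    "d": string.digits,                # ?d  10 digits
    "s": " " + string.punctuation,     # ?s  space plus 32 punctuation marks = 33
}
MASK_CLASSES["a"] = "".join(MASK_CLASSES[c] for c in "luds")  # ?a  all 95 printable ASCII


def parse_mask(mask):
    """Translate a mask such as '?u?l?l?l?d?s' into a list of per-position
    character sets. '??' is a literal '?'; any other bare character is itself."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])
            i += 1
            continue
        if i + 1 == len(mask):
            raise ValueError("mask ends with a dangling '?'")
        cls = mask[i + 1]
        positions.append("?" if cls == "?" else MASK_CLASSES[cls])
        i += 2
    return positions


def mask_keyspace(mask):
    """Number of candidates the mask generates (product of the class sizes)."""
    total = 1
    for charset in parse_mask(mask):
        total *= len(charset)
    return total


def mask_candidates(mask):
    """Yield every candidate the mask describes, leftmost position varying slowest."""
    for chars in itertools.product(*parse_mask(mask)):
        yield "".join(chars)


def md5_hex(s):
    """Unsalted MD5, assumed here as the stored hash format."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def crack_with_mask(target_hash, mask):
    """Hash each candidate and compare. Returns (plaintext, guesses), or
    (None, keyspace) if the mask never produces the password."""
    for guesses, candidate in enumerate(mask_candidates(mask), start=1):
        if md5_hex(candidate) == target_hash:
            return candidate, guesses
    return None, mask_keyspace(mask)


def seconds_at(rate, candidates):
    """Time to exhaust `candidates` guesses at `rate` guesses per second."""
    return candidates / rate


if __name__ == "__main__":
    RATE = 8_000_000_000  # the article's figure: a fast hash on a GPU rig
    # Policy: 8 characters with upper, lower, digit and special. Enumerating
    # every 8-character printable string is the naive search ...
    naive = mask_keyspace("?a" * 8)
    # ... but people satisfy the policy the same way almost every time:
    # capital first, digit and symbol last. One mask covers that habit.
    shaped = mask_keyspace("?u?l?l?l?l?l?d?s")
    print(f"full 8-char keyspace : {naive:.3e} candidates, {seconds_at(RATE, naive) / 86400:.1f} days")
    print(f"policy-shaped mask   : {shaped:.3e} candidates, {seconds_at(RATE, shaped):.1f} s")
    print(f"reduction factor     : {naive // shaped:,}x")

    # Constructed 5-character target so the demo finishes quickly in plain
    # Python; the same idea scales to the 8-character case above.
    target = md5_hex("Dog1!")
    plain, guesses = crack_with_mask(target, "?u?l?l?d?s")
    print(f"cracked {plain!r} after {guesses:,} of {mask_keyspace('?u?l?l?d?s'):,} candidates")
```

The equivalent Hashcat invocation against a file of MD5 hashes would be hashcat -m 0 -a 3 hashes.txt '?u?l?l?l?l?l?d?s'. Note what the numbers say: the full 8-character printable keyspace takes over a week at the article's rate, while the shaped mask takes about thirteen seconds, which is the reduction the paragraph above describes. A policy that forces a capital, a digit and a symbol does little if everyone puts them in the same places.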

The news doesn't bode well for passwords, which are already under pressure from proposals that sound like science fiction, such as electronic tattoos or personal ID chips, to prove we are who we say we are. Bring it on, I say. I could never memorize 55 characters anyway.